Privacy Enhancing Technologies
(PETs)

The existing legal framework

The Charter of Fundamental Rights of the European Union recognises in Article
8 the right to the protection of personal data. This fundamental right is
developed by the European legal framework on the protection of personal data
consisting mainly of the Data Protection
Directive[1] and the ePrivacy
Directive[2]. They lay down several
substantive provisions imposing obligations on the data controller and
recognizing rights to the data subject, prescribing sanctions and appropriate
remedies in cases of breach, and establishing enforcement mechanisms to make
them effective.

However, this formal scheme may face considerable obstacles to impose itself
in practice, deriving from the difficulties linked with the very technology
used, which involves data processing by different actors in different locations,
and with the hurdles intrinsic to the enforcement of national administrative and
court rulings in another jurisdiction, especially in non-EU countries.

Although strictly speaking it is data controllers who bear legal
responsibility for complying with data protection rules, also those who design
technical specifications and those who actually build or implement applications
or operating systems bear some responsibility for the data protection aspects
from a societal and ethical point of view.

A further step to pursue the aim of the legal framework whose objective is to
minimise the processing of personal data and using anonymous or pseudonymous
data where possible, could be supported by measures called Privacy Enhancing
Technologies or PETs - that would facilitate ensuring that breaches of the data
protection rules and violations of individual's rights are not only something
forbidden and subject to sanctions, but technically more difficult.

This Communication follows from the First Report
on the implementation of the Data Protection
Directive[3].

What are PETs?

The use of PETs can help to design information and communication systems and
services in a way that minimises the collection and use of personal data and
facilitate compliance with data protection rules. The use of PETs should result
in making breaches of certain data protection rules more difficult and/or
helping to detect them.

Several examples of PETs can be mentioned here.

Automatic anonymisation after a certain lapse of time support the
principle that the data processed should be kept in a form which permits
identification of data subjects for no longer than necessary for the purposes
for which the data were originally collected.

Encryption tools prevent hacking when the information is transmitted
over the Internet and support the data controller's obligation to take
appropriate measures to protect personal data against unlawful processing. .

Cookie-cutters blocking cookies placed on the user's PC to make it
perform certain instructions without him being aware of them, enhance compliance
with the principle that data must be processed fairly and lawfully, and that the
data subject must be informed about the processing going on.

The Platform for Privacy Preferences (P3P), allowing internet users
to analyze the privacy policies of websites and compare them with the user's
preferences as to the information he allows to release, helps to ensure that
data subjects' consent to processing of their data is an informed
one.

The Commission supports
PETs

The Commission expects that wider use of PETs would improve the protection of
privacy as well as help fulfil the data protection rules.

The use of PETs would be complementary to the existing legal framework and
enforcement mechanisms. In fact the intervention of different actors in the data
processing and the existence of the different national jurisdictions involved
could make enforcement of the legal framework difficult.

PETs would bring about that certain breaches to data protection rules,
resulting in invasions of fundamental rights including privacy, could be avoided
because they would be technologically more difficult to carry out. PETs need to
be applied according to a regulatory framework of enforceable data protection
rules providing a number of negotiable levels of privacy protection for all
individuals. The use of PETs does not mean that operators can be discharged of
certain of their legal obligations (e.g. granting individual users a right of
access to their data).

Important public interests could also be better served. PETs should be
developed as a tool to ensure that the law is respected and not breached. The
data protection legal framework provides that restrictions to the general
principles and interference in the rights of individuals are possible for
important public interests such as public security, the fight against crime or
public health. The conditions for that are laid down in Article 13 of the Data
Protection Directive and Article 15 of the ePrivacy Directive, and are
substantially similar to those set by Article 8 of the European Convention on
Human Rights (ECHR), namely that such interference is done in accordance with
the law and is necessary in a democratic society for important public interests.

The European Commission supports PETs

To pursue the objective of enhancing the level of privacy and data protection
in the Community the Commission intends to conduct following activities:

identifying the need and technological requirements of PETs;

Funding research on PETs: Europe contributed over 18M Euro to PET research
as part of its 6th Framework Programme (2002-06), and this expected
to increase significantly in the coming years

promoting use of PETs by industry;

ensuring respect for appropriate standards in the protection of personal
data through PETs (through standardization and coordination of national
technical rules on security measures for data processing);

promoting the use of PETs by public authorities;

raising awareness of consumers;

facilitating consumers' informed choice through Privacy
seals.

Further information on European research on PETs

European research projects in this field are funded as part of the
Information Society Technologies (IST) programme

[1] Directive 95/46/EC of
the European Parliament and of the Council of 24 October 1995 on the protection
of individuals with regard to the processing of personal data and on the free
movement of such data, OJ L 281, 23.11.1995, p. 31.

[2] Directive 2002/58/EC of
the European Parliament and of the Council of 12 July 2002 concerning the
processing of personal data and the protection of privacy in the electronic
communications sector (Directive on privacy and electronic communications), OJ L
201, 31.07.2002, p. 37.